Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C2733A1302 for ; Mon, 20 Apr 2020 16:37:13 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -15.699 X-Spam-Level: X-Spam-Status: No, score=-15.699 tagged_above=-999 required=5 tests=[DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cZvxf2QLokSS for ; Mon, 20 Apr 2020 16:37:09 -0700 (PDT) Received: from mail-wm1-x32b.google.com (mail-wm1-x32b.google.com [IPv6:2a00:1450:4864:20::32b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 833253A12FF for ; Mon, 20 Apr 2020 16:37:09 -0700 (PDT) Received: by mail-wm1-x32b.google.com with SMTP id x25so1501289wmc.0 for ; Mon, 20 Apr 2020 16:37:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=nqaqcDOcJ+CdNcli8BJCNLUSJuDHbjwZDQacwU8PsnA=; b=AGyglwfqF8LAfjsTTKdNqA3dkxNHQzexca2z1BNs1+HDCdV6JIZuC414KanbzG+DCY C5DabuDZLBGtEZ/SRtiYndAxznFHlUuVG1cJKbhmqAKPqpyG18YMVOzsEC8WCB/fEgyJ 6tXDrFHTOTpZ7cm6VcmIhMlv8z7kYkvWMzHd0JOFvWkSNWZHaoQdaPQ7rFPjO+mfdcS9 T4/BgXQbDkSm4I8xKKFPFiCjd6liYmA4blzkJGdrk9/O5kQo3YKxcXDIlyrud91g73S3 5QlN/pHAc4tsn+EJprLt6fSnR2+ZQH5NB4Pn5j1GKeQZy7YQx/0D1CA/hQGvEGndArwd toNw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=nqaqcDOcJ+CdNcli8BJCNLUSJuDHbjwZDQacwU8PsnA=; b=bWBJzp5d1ZWWsF+tZ6Z+j8y7PgCrit0tO87uqUtusRyldhPALqoOXB/zv2dU5l5M52 vkOanjRc3geu/jqSqjlsmcV5+O7rmyV08O9nxoRDyINmIGyimHhorRsYJEw6oSs6WRUI EhRo6EtOhqCSJu/K+OxGRWOcWKBDhIIJp0u13mN9uNJyFpFowDFgSa0SF6LAF3cXjFFy YtKe4ADDNKqvvXUdcHR0ephjahprPok6KQGfLjBBp1o5iOD+KB6oh/ewyhlZUbXx9KZk HhA59yjxGj1erqmTv+XPZXQ++qW3T9w0cG0ocI/ujucntZm7bJNoimMNz+1nGOC6vRik 649w== X-Gm-Message-State: AGi0PuY/HUJ/ZXPIqwm0uC4elirkxvu+O1yp7kybAlHsBVq5FagGqVt5 ow0SaOsg4vsLvDFahkWqnM6xbxwPkMSUHTxjAeBWX66+2ao= X-Google-Smtp-Source: APiQypIF9c13+eDqLaiZ/xdiBQmuIvPinOf7PJa51hHB4p9BiboRpPWSUMsAX817MGGU5zwV6f39sxDpZwF7XQOtRY0= X-Received: by 2002:a05:600c:2284:: with SMTP id 4mr1704346wmf.97.1587425827379; Mon, 20 Apr 2020 16:37:07 -0700 (PDT) MIME-Version: 1.0 References: <20200417101932.GA2035@wakko.flat11.house> In-Reply-To: <20200417101932.GA2035@wakko.flat11.house> From: Ben Schwartz Date: Mon, 20 Apr 2020 19:36:55 -0400 Message-ID: To: Alessandro Ghedini Cc: dnsop Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="00000000000097a9b005a3c1606b" Archived-At: Subject: Re: [DNSOP] Comments on draft-ietf-dnsop-svcb-httpssvc-02 X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 20 Apr 2020 23:37:14 -0000 --00000000000097a9b005a3c1606b Content-Type: multipart/alternative; boundary="0000000000008ca73805a3c1602f" --0000000000008ca73805a3c1602f Content-Type: text/plain; charset="UTF-8" On Fri, Apr 17, 2020 at 6:20 AM Alessandro Ghedini wrote: > Hello, > > First off, I have started implementing support for SVCB and HTTPSSVC as > part of > the dnspython library [0] and I'd be interested in doing some interop > testing > with other people's implementations. > > I also have a few comments/questions about the draft, apologies if they > have > already been discussed in the past (haven't been following the draft from > the > start). > > 1. For interop testing purposes it would be very helpful if the draft > listed > commonly agreed upon code-points for the new RR types. Ideally in the form > of an > official early assignment from IANA, but if that's not possible picking a > couple > of codepoints at random from the "private use" range would also be > helpful. In > my implementation I'm currently using "65481" for SVCB and "65482" for > HTTPSSVC. > > 2. The structure of the draft is a bit odd, as it lists a bunch of examples > before introducing any of the records. This was a bit confusing to me, so > I'd > suggest moving sections 1.5 and 1.6 _before_ the examples (that is, > immediately > after the introduction). It might also be a good idea to just move the > examples > to an Appendix instead. > Noted as https://github.com/MikeBishop/dns-alt-svc/issues/135 3. Would it make sense to move the ESNI/ECHO config paramenter to the > ESNI/ECHO > draft instead? This way the DNS draft wouldn't need to depend on the ESNI > draft > (so e.g. if ESNI ends up taking longer, this draft could be published > without > having to wait for it). > That's an interesting question. My main concern with separating it is that ECHO is the only reason we need to disable fallback, and the need to support clients that can't use fallback is a major factor in the design. > 4. What is the point of differentiating between AliasForm and ServiceForm? > Like, > couldn't the draft just say that the SvcFieldValue is an optional field > and be > done with that? It seems like not having to explicitly differentiate the > two > cases would simplify the draft a bit without sacrificing much, though I > might > be missing something. > It's true that there is no great distinction to an authoritative server. However, the resolution procedure is quite different. If there is an AliasForm, the resolver should follow only one RR (ignoring all the others), and should re-query SVCB. Otherwise, it should follow all the RRs, but only querying A and AAAA. (To an authoritative, the only distinction I can think of is that "." is not allowed for AliasForm, because it represents a reference cycle.) > 5. Section 2.1.1 says > > The presentation format for SvcFieldValue is a whitespace-separated > list of elements representing a key-value pair, with an absent value > or "=" indicating an empty value. > > It took me longer than I'd like to admit to understand the "with an absent > value > or "=" indicating an empty value" part. I'd suggest rewording that > paragraph to > something like: > > The presentation format for SvcFieldValue is a whitespace-separated > list of > key=value pairs (e.g. "key123=value1 keys456=value2"). When the value, > or > both the value and the "=" are omitted, the value should be interpreted > as > being empty. > > Or something better :) > Noted as https://github.com/MikeBishop/dns-alt-svc/issues/136 > 6. In Section 2.2 it says (in reference to param field values): > > o an octet string of the length defined by the previous field. > > It might be good to say here that the format of this octet string is > defined > according to the corresponding SvcParamKey, and then reference section 6 > for > ths currently defined keys. The same applies for section 2.1.1 for the > presentation format. > > 7. Section 4.3 says: > > All DNS servers SHOULD treat the SvcParam portion of the SVCB RR... > > Should it be SvcFieldValue instead of SvcParam? "SvcParam" is not mentioned > anywhere else. > You're right. https://github.com/MikeBishop/dns-alt-svc/pull/137 8. Maybe I'm missing something, but the following sentence in Section 6.4 > seems > wrong: > > When SvcDomainName is ".", server operators SHOULD NOT include these > hints, > because they are unlikely to convey any performance benefit. > > My understanding is that ipv4hint and ipv6hint are the way to solve the > ESNI > multi-CDN problem Not exactly. Hints are not required for that. Instead, the requirement is that each RR contains a matched SvcFieldValue and SvcDomainName, from the same CDN. The A/AAAA lookup for the SvcDomainName then provides the IPs. The purpose of IP hints is to reduce resolution latency in that scenario, only in the case where the recursive resolver is not SVCB-aware, by avoiding the need to wait for the A/AAAA lookup. , so let's say I have "www.example.net" that CNAMEs to both > "cname.cdn-a.example" and "cname.cdn-b.example". A client queries both A > and > HTTPSVC concurrently for "www.example.net", and receives two answers (the > answer > to the A query points to CDN A, while the answer to HTTPSSVC points to CDN > B): > > www.xample.net 3600 IN CNAME cname.cdn-a.example > cname.cdn-a.example 3600 IN A 192.0.2.1 > > and > > www.xample.net 3600 IN CNAME cname.cdn-b.example > cname.cdn-b.example 3600 IN HTTPSSVC 1 . alpn=h3 esniconfig="..." > > (You have two distinct CNAMEs for "www.xample.net" listed there. Technically this is not allowed by the CNAME specification. However, we can ignore that issue.) > My understanding is that in this case the client could end up connecting to > 192.0.2.1 (CDN A) with CDN B's ESNI config (or e.g. with the wrong ALPN). No, this is not possible. When using B's ESNI config, the only allowed IP addresses are those for cname.cdn-b.example. In this case (as with any case where SvcDomainName=".", IP hints would not provide a performance advantage, because HTTPSSVC is always queried in parallel with A/AAAA, so the record for cname.cdn-b.example will come back along with the corresponding IPs anyway. ... > 9. Speaking of multi-CDN, AFAICT the problem is mentioned only once in the > whole > draft and only in relation to ESNI. However this is not ESNI-specific and > also > affects e.g. HTTP/3 as per the example above. So I think it would be > useful to > go into a little more detail on this. > OK, please suggest text. > 10. Section B.2: s/pther/other/ > Will fix. > > Cheers > > [0] https://github.com/rthalley/dnspython/pull/452 > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop > --0000000000008ca73805a3c1602f Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable


=
On Fri, Apr 17, 2020 at 6:20 AM Aless= andro Ghedini <alessandro@ghedi= ni.me> wrote:
Hello,

First off, I have started implementing support for SVCB and HTTPSSVC as par= t of
the dnspython library [0] and I'd be interested in doing some interop t= esting
with other people's implementations.

I also have a few comments/questions about the draft, apologies if they hav= e
already been discussed in the past (haven't been following the draft fr= om the
start).

1. For interop testing purposes it would be very helpful if the draft liste= d
commonly agreed upon code-points for the new RR types. Ideally in the form = of an
official early assignment from IANA, but if that's not possible picking= a couple
of codepoints at random from the "private use" range would also b= e helpful. In
my implementation I'm currently using "65481" for SVCB and &q= uot;65482" for HTTPSSVC.

2. The structure of the draft is a bit odd, as it lists a bunch of examples=
before introducing any of the records. This was a bit confusing to me, so I= 'd
suggest moving sections 1.5 and 1.6 _before_ the examples (that is, immedia= tely
after the introduction). It might also be a good idea to just move the exam= ples
to an Appendix instead.

Noted as=C2=A0<= a href=3D"https://github.com/MikeBishop/dns-alt-svc/issues/135">https://git= hub.com/MikeBishop/dns-alt-svc/issues/135=C2=A0

3. Would it make sense to move the ESNI/ECHO config paramenter to the ESNI/= ECHO
draft instead? This way the DNS draft wouldn't need to depend on the ES= NI draft
(so e.g. if ESNI ends up taking longer, this draft could be published witho= ut
having to wait for it).

That's an i= nteresting question.=C2=A0 My main concern with separating it is that ECHO = is the only reason we need to disable fallback, and the need to support cli= ents that can't use fallback is a major factor in the design.
=C2=A0
4. What is the point of differentiating between AliasForm and ServiceForm? = Like,
couldn't the draft just say that the SvcFieldValue is an optional field= and be
done with that? It seems like not having to explicitly differentiate the tw= o
cases would simplify the draft a bit without sacrificing much, though I mig= ht
be missing something.

It's true tha= t there is no great distinction to an authoritative server.=C2=A0 However, = the resolution procedure is quite different.=C2=A0 If there is an AliasForm= , the resolver should follow only one RR (ignoring all the others), and sho= uld re-query SVCB.=C2=A0 Otherwise, it should follow all the RRs, but only = querying A and AAAA.

(To an authoritative, the onl= y distinction I can think of is that "." is not allowed for Alias= Form, because it represents a reference cycle.)
=C2=A0
5. Section 2.1.1 says

=C2=A0 =C2=A0The presentation format for SvcFieldValue is a whitespace-sepa= rated
=C2=A0 =C2=A0list of elements representing a key-value pair, with an absent= value
=C2=A0 =C2=A0or "=3D" indicating an empty value.

It took me longer than I'd like to admit to understand the "with a= n absent value
or "=3D" indicating an empty value" part. I'd suggest re= wording that paragraph to
something like:

=C2=A0 =C2=A0The presentation format for SvcFieldValue is a whitespace-sepa= rated list of
=C2=A0 =C2=A0key=3Dvalue pairs (e.g. "key123=3Dvalue1 keys456=3Dvalue2= "). When the value, or
=C2=A0 =C2=A0both the value and the "=3D" are omitted, the value = should be interpreted as
=C2=A0 =C2=A0being empty.

Or something better :)

Noted as=C2=A0https://gith= ub.com/MikeBishop/dns-alt-svc/issues/136
=C2=A0
6. In Section 2.2 it says (in reference to param field values):

=C2=A0 =C2=A0o=C2=A0 an octet string of the length defined by the previous = field.

It might be good to say here that the format of this octet string is define= d
according to the corresponding SvcParamKey, and then reference section 6 fo= r
ths currently defined keys. The same applies for section 2.1.1 for the
presentation format.

7. Section 4.3 says:

=C2=A0 =C2=A0All DNS servers SHOULD treat the SvcParam portion of the SVCB = RR...

Should it be SvcFieldValue instead of SvcParam? "SvcParam" is not= mentioned
anywhere else.


=
8. Maybe I'm missing something, but the following sentence in Section 6= .4 seems
wrong:

=C2=A0 =C2=A0When SvcDomainName is ".", server operators SHOULD N= OT include these hints,
=C2=A0 =C2=A0because they are unlikely to convey any performance benefit.
My understanding is that ipv4hint and ipv6hint are the way to solve the ESN= I
multi-CDN problem

Not exactly.=C2=A0 Hints = are not required for that.=C2=A0 Instead, the requirement is that each RR c= ontains a matched SvcFieldValue and SvcDomainName, from the same CDN.=C2=A0= The A/AAAA lookup for the SvcDomainName then provides the IPs.
<= br>
The purpose of IP hints is to reduce resolution latency in th= at scenario, only in the case where the recursive resolver is not SVCB-awar= e, by avoiding the need to wait for the A/AAAA lookup.

=
, so let's say I have= "www.example.net" that CNAMEs to both
"cname.cdn-a.example" and "cname.cdn-b.example". A clie= nt queries both A and
HTTPSVC concurrently for "www.example.net", and receives two ans= wers (the answer
to the A query points to CDN A, while the answer to HTTPSSVC points to CDN = B):

=C2=A0 =C2=A0 www.xample.net=C2=A0 =C2=A0 =C2=A0 3600 IN CNAME cname.cdn-= a.example
=C2=A0 =C2=A0 cname.cdn-a.example 3600 IN A 192.0.2.1

and

=C2=A0 =C2=A0 www.xample.net=C2=A0 =C2=A0 =C2=A0 3600 IN CNAME cname.cdn-= b.example
=C2=A0 =C2=A0 cname.cdn-b.example 3600 IN HTTPSSVC 1 . alpn=3Dh3 esniconfig= =3D"..."


(You have two distinct CNAMEs for &quo= t;www.xample.net" listed there.= =C2=A0 Technically this is not allowed by the CNAME specification.=C2=A0 Ho= wever, we can ignore that issue.)
=C2=A0
My understanding is that in this case the client could end up connecting to=
192.0.2.1 (CDN A) with CDN B's ESNI config (or e.g. with the wrong ALPN= ).

No, this is not possible.=C2=A0 When usi= ng B's ESNI config, the only allowed IP addresses are those for cname.c= dn-b.example.

In this case (as with any case where= SvcDomainName=3D".", IP hints would not provide a performance ad= vantage, because HTTPSSVC is always queried in parallel with A/AAAA, so the= record for cname.cdn-b.example will come back along with the corresponding= IPs anyway.

...
9. Speaking of multi-CDN, AFAICT the problem is menti= oned only once in the whole
draft and only in relation to ESNI. However this is not ESNI-specific and a= lso
affects e.g. HTTP/3 as per the example above. So I think it would be useful= to
go into a little more detail on this.

O= K, please suggest text.
=C2=A0
10. Section B.2: s/pther/other/

Will fi= x.
=C2=A0

Cheers

[0] https://github.com/rthalley/dnspython/pull/452=

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
--0000000000008ca73805a3c1602f-- --00000000000097a9b005a3c1606b Content-Type: application/pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIIPBgYJKoZIhvcNAQcCoIIO9zCCDvMCAQExDzANBglghkgBZQMEAgEFADALBgkqhkiG9w0BBwGg ggxpMIIEkjCCA3qgAwIBAgINAewckktV4F6Q7sAtGDANBgkqhkiG9w0BAQsFADBMMSAwHgYDVQQL ExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMzETMBEGA1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMK R2xvYmFsU2lnbjAeFw0xODA2MjAwMDAwMDBaFw0yODA2MjAwMDAwMDBaMEsxCzAJBgNVBAYTAkJF MRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMSEwHwYDVQQDExhHbG9iYWxTaWduIFNNSU1FIENB IDIwMTgwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCUeobu8FdB5oJg6Fz6SFf8YsPI dNcq4rBSiSDAwqMNYbeTpRrINMBdWuPqVWaBX7WHYMsKQwCOvAF1b7rkD+ROo+CCTJo76EAY25Pp jt7TYP/PxoLesLQ+Ld088+BeyZg9pQaf0VK4tn23fOCWbFWoM8hdnF86Mqn6xB6nLsxJcz4CUGJG qAhC3iedFiCfZfsIp2RNyiUhzPAqalkrtD0bZQvCgi5aSNJseNyCysS1yA58OuxEyn2e9itZJE+O sUeD8VFgz+nAYI5r/dmFEXu5d9npLvTTrSJjrEmw2/ynKn6r6ONueZnCfo6uLmP1SSglhI/SN7dy L1rKUCU7R1MjAgMBAAGjggFyMIIBbjAOBgNVHQ8BAf8EBAMCAYYwJwYDVR0lBCAwHgYIKwYBBQUH AwIGCCsGAQUFBwMEBggrBgEFBQcDCTASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBRMtwWJ 1lPNI0Ci6A94GuRtXEzs0jAfBgNVHSMEGDAWgBSP8Et/qC5FJK5NUPpjmove4t0bvDA+BggrBgEF BQcBAQQyMDAwLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwMi5nbG9iYWxzaWduLmNvbS9yb290cjMw NgYDVR0fBC8wLTAroCmgJ4YlaHR0cDovL2NybC5nbG9iYWxzaWduLmNvbS9yb290LXIzLmNybDBn BgNVHSAEYDBeMAsGCSsGAQQBoDIBKDAMBgorBgEEAaAyASgKMEEGCSsGAQQBoDIBXzA0MDIGCCsG AQUFBwIBFiZodHRwczovL3d3dy5nbG9iYWxzaWduLmNvbS9yZXBvc2l0b3J5LzANBgkqhkiG9w0B AQsFAAOCAQEAwREs1zjtnFIIWorsx5XejqZtqaq5pomEvpjM98ebexngUmd7hju2FpYvDvzcnoGu tjm0N3Sqj5vvwEgvDGB5CxDOBkDlmUT+ObRpKbP7eTafq0+BAhEd3z2tHFm3sKE15o9+KjY6O5bb M30BLgvKlLbLrDDyh8xigCPZDwVI7JVuWMeemVmNca/fidKqOVg7a16ptQUyT5hszqpj18MwD9U0 KHRcR1CfVa+3yjK0ELDS+UvTufoB9wp2BoozsqD0yc2VOcZ7SzcwOzomSFfqv7Vdj88EznDbdy4s fq6QvuNiUs8yW0Vb0foCVRNnSlb9T8//uJqQLHxrxy2j03cvtTCCA18wggJHoAMCAQICCwQAAAAA ASFYUwiiMA0GCSqGSIb3DQEBCwUAMEwxIDAeBgNVBAsTF0dsb2JhbFNpZ24gUm9vdCBDQSAtIFIz MRMwEQYDVQQKEwpHbG9iYWxTaWduMRMwEQYDVQQDEwpHbG9iYWxTaWduMB4XDTA5MDMxODEwMDAw MFoXDTI5MDMxODEwMDAwMFowTDEgMB4GA1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjMxEzAR BgNVBAoTCkdsb2JhbFNpZ24xEzARBgNVBAMTCkdsb2JhbFNpZ24wggEiMA0GCSqGSIb3DQEBAQUA A4IBDwAwggEKAoIBAQDMJXaQeQZ4Ihb1wIO2hMoonv0FdhHFrYhy/EYCQ8eyip0EXyTLLkvhYIJG 4VKrDIFHcGzdZNHr9SyjD4I9DCuul9e2FIYQebs7E4B3jAjhSdJqYi8fXvqWaN+JJ5U4nwbXPsnL JlkNc96wyOkmDoMVxu9bi9IEYMpJpij2aTv2y8gokeWdimFXN6x0FNx04Druci8unPvQu7/1PQDh BjPogiuuU6Y6FnOM3UEOIDrAtKeh6bJPkC4yYOlXy7kEkmho5TgmYHWyn3f/kRTvriBJ/K1AFUjR AjFhGV64l++td7dkmnq/X8ET75ti+w1s4FRpFqkD2m7pg5NxdsZphYIXAgMBAAGjQjBAMA4GA1Ud DwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSP8Et/qC5FJK5NUPpjmove4t0b vDANBgkqhkiG9w0BAQsFAAOCAQEAS0DbwFCq/sgM7/eWVEVJu5YACUGssxOGhigHM8pr5nS5ugAt rqQK0/Xx8Q+Kv3NnSoPHRHt44K9ubG8DKY4zOUXDjuS5V2yq/BKW7FPGLeQkbLmUY/vcU2hnVj6D uM81IcPJaP7O2sJTqsyQiunwXUaMld16WCgaLx3ezQA3QY/tRG3XUyiXfvNnBB4V14qWtNPeTCek TBtzc3b0F5nCH3oO4y0IrQocLP88q1UOD5F+NuvDV0m+4S4tfGCLw0FREyOdzvcya5QBqJnnLDMf Ojsl0oZAzjsshnjJYS8Uuu7bVW/fhO4FCU29KNhyztNiUGUe65KXgzHZs7XKR1g/XzCCBGwwggNU oAMCAQICEAGuEkclHdvQz4ddwMbsMFgwDQYJKoZIhvcNAQELBQAwSzELMAkGA1UEBhMCQkUxGTAX BgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExITAfBgNVBAMTGEdsb2JhbFNpZ24gU01JTUUgQ0EgMjAx ODAeFw0yMDAxMDcwODIyMjJaFw0yMDA3MDUwODIyMjJaMCIxIDAeBgkqhkiG9w0BCQEWEWJlbWFz Y0Bnb29nbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwrwIVY3rOZp1Papu Yl53bMQ2H713K9788lbE9itKEL7tJAJO7GqZGRbfxPUVRRDYPntAf+j0JZZOvf9Ye6uN12SNW+v1 V0o5YeXtXMpNOkprr0v0v7qc80yhbq8RIIiX4usDJwuDGbcL/VKnlCTDPRp+VWUB8rkaqObapi/F BGiPWXBqiT36W5opr6eJjUHuGiqzmK/1lCXMZSn6n3wkkbnonFsF5G4kfie+n/DDNd1hlqd06bzB rCnToS+BV/Y9BroXiOjVWJnMe/8Rce7zA8Dzr0kU+gacBArnMiDyCvUGjngbASU7VaIPJBc/zBzI L5QoeUAfgEJcGvFIEJUUIwIDAQABo4IBczCCAW8wHAYDVR0RBBUwE4ERYmVtYXNjQGdvb2dsZS5j b20wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMEBggrBgEFBQcDAjAdBgNVHQ4E FgQU+WKCBtTdknJDbiAjMsikOsbLHoAwTAYDVR0gBEUwQzBBBgkrBgEEAaAyASgwNDAyBggrBgEF BQcCARYmaHR0cHM6Ly93d3cuZ2xvYmFsc2lnbi5jb20vcmVwb3NpdG9yeS8wUQYIKwYBBQUHAQEE RTBDMEEGCCsGAQUFBzAChjVodHRwOi8vc2VjdXJlLmdsb2JhbHNpZ24uY29tL2NhY2VydC9nc3Nt aW1lY2EyMDE4LmNydDAfBgNVHSMEGDAWgBRMtwWJ1lPNI0Ci6A94GuRtXEzs0jA/BgNVHR8EODA2 MDSgMqAwhi5odHRwOi8vY3JsLmdsb2JhbHNpZ24uY29tL2NhL2dzc21pbWVjYTIwMTguY3JsMA0G CSqGSIb3DQEBCwUAA4IBAQA2eHjHcJ8kaiqDQGv7TdNEBFiDI8omlzpnnuQFciHkWhkfi3mQwuuZ IQIHd+JNpV0TQ8TqMNAr4YSPWOjwTd3UNxm+qghV3KC9j/Ygq39OzUlqxWv2lFH8mGFpbview2GI xZWXTCRbeod3ZevhC0lOUVVx4NCHe5yWSwjEpZHUilSnjyqN7ssC0eYQBylFOf2xVxu1JB8Xewgw Vk/DeOzsapxxjiuw2UZsDZbtVJvEx/C34GkACLR4Lm0k6O5ujAiDBkyy2nklxLhmKb9fyiH51B3j oRE8y99FJOCHoye9E/P2tK12x9w9ZeF07eWAdX3OkhTne1DitwLidojuyFm9MYICYTCCAl0CAQEw XzBLMQswCQYDVQQGEwJCRTEZMBcGA1UEChMQR2xvYmFsU2lnbiBudi1zYTEhMB8GA1UEAxMYR2xv YmFsU2lnbiBTTUlNRSBDQSAyMDE4AhABrhJHJR3b0M+HXcDG7DBYMA0GCWCGSAFlAwQCAQUAoIHU MC8GCSqGSIb3DQEJBDEiBCBxBjUSK1YHccxArVnco+FzwNcewyKt1miRhhDT23gd7DAYBgkqhkiG 9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0yMDA0MjAyMzM3MDhaMGkGCSqGSIb3 DQEJDzFcMFowCwYJYIZIAWUDBAEqMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYIKoZIhvcN AwcwCwYJKoZIhvcNAQEKMAsGCSqGSIb3DQEBBzALBglghkgBZQMEAgEwDQYJKoZIhvcNAQEBBQAE ggEAlsjbEBaAswex1vKeq6Nb2xaMtYZnXNkhRlgnZgIW2eYT7/BR6BW+8oToHvMXJeztn7Kj04oI 0DcFdyi9Y1FL/iizccmCdWvTUB+KXmzDqKPf6EhspcbCvD7Sx23QwOeM3i+MjtSBtJePZxbYbCDe Uvsf8oGWZKQsVUYJUvgdgrnNFwK0m1D89tarDk6eLM9XHNXdTib8wGLuKu14e7JCV/A9kkJTq6vq uFl3pEW0Sjxk2T68L8Bhto/0kfFn8FFIfVLNa6qvIp4TrmZrY7+a8hSeLMoUI8iWAzDqCaDB3J1p rSHVDpBMB82nwsZ/AiOGeDCHT/38/MTdOqVKEQndsQ== --00000000000097a9b005a3c1606b--